Driver vulnerabilities can facilitate attacks on ATMs, point-of-sale (PoS) systems and other devices, firmware security company Eclypsium warned on Monday.
Eclypsium last year analyzed device drivers from major vendors and found that over 40 drivers made by 20 companies contained serious vulnerabilities that could be exploited to deploy persistent malware.
The firm now warns that the Windows drivers used in ATMs and PoS devices can be highly useful to threat actors targeting these types of systems.
A significant number of ATM malware families have emerged in recent years, including the ones known as Skimer, Alice, CUTLET MAKER, Ploutus, Tyupkin, ATMJackpot, Suceful, RIPPER, WinPot, PRILEX, ATMii and GreenDispenser. Many of these pieces of malware allow their operators to conduct so-called “jackpotting” attacks, in which the attacker instructs the targeted ATM to dispense cash.
According to Eclypsium, vulnerabilities affecting the drivers running on ATMs or PoS devices could allow attackers to escalate privileges and gain “deeper access” into the targeted system.
“By taking advantage of the functionality in insecure drivers, attackers or their malware can gain new privileges, access information, and ultimately steal money or customer data,” Eclypsium explained.
As an example, the security firm described a vulnerability found by its researchers in a driver present on Diebold Nixdorf ATMs. The driver in question provides access to x86 I/O ports, which is fairly limited in terms of functionality compared to other drivers. Nevertheless, a driver that provides arbitrary access to I/O ports can be useful in the initial phases of an attack, as it could allow the attacker to obtain access to PCI-connected devices, including external devices and the SPI controller, which provides access to the system firmware.
“What ‘PCI access’ means is that software would be able to communicate with PCI devices and as a result use them,” Mickey Shkatov, principal researcher at Eclypsium, told SecurityWeek. “Consider the following flow as an example: software uses the driver to perform I/O operations that translate to legacy PCI access, then the software uses that PCI access to direct a device to perform actions.”
“The Intel SPI controller is such a device that in turn can read/write to the system firmware on the on-board non-volatile memory. By gaining arbitrary access to the I/O ports, an attacker could potentially gain arbitrary PCI access, which in turn could allow the attacker to target data to and from PCI-connected devices,” Shkatov explained.
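The flaw described above is not a memory-corruption bug but a design weakness: the driver performs whatever I/O port access a caller asks for. The following C model, added here as an illustration rather than code from Eclypsium, Diebold Nixdorf or the driver itself, contrasts that unrestricted policy with one possible hardening (an assumption, not the vendor's actual fix): only a privileged caller may request an access, the access width must be sane, and the whole access must fall inside port ranges the peripheral is known to use. The request layout, the allowed range 0x0300-0x031F and the simulated port space are all constructed for the example; the legacy PCI configuration ports 0xCF8/0xCFC are the documented x86 mechanism the quoted flow refers to, and the point of the model is that an allow list never reaches them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Request layout a user-mode caller would hand to a port-I/O driver's IOCTL
 * (constructed for this example; not the real driver's format). */
typedef struct {
    uint16_t port;     /* first I/O port address */
    uint8_t  width;    /* access size in bytes: 1, 2 or 4 */
    uint8_t  is_write; /* 0 = read, 1 = write */
    uint32_t value;    /* data for a write; filled in on a read */
} ioport_req_t;

/* Port ranges the hypothetical peripheral actually needs (constructed values). */
typedef struct { uint16_t first, last; } port_range_t;
static const port_range_t allowed_ranges[] = {
    { 0x0300, 0x031F },
};
#define N_RANGES (sizeof allowed_ranges / sizeof allowed_ranges[0])

/* Stand-in for x86 port I/O so the example runs in user space.
 * A few spare bytes at the end keep the unrestricted policy from
 * overrunning the array on a 4-byte access at port 0xFFFF. */
static uint8_t io_space[0x10000 + 4];

typedef int (*port_policy_t)(const ioport_req_t *, int caller_is_admin);

/* Policy 1: the weakness the article describes. Any port, any width,
 * any caller; this is what turns the driver into a generic I/O primitive. */
int policy_unrestricted(const ioport_req_t *r, int caller_is_admin) {
    (void)r; (void)caller_is_admin;
    return 1;
}

/* Policy 2: one hardening shape. The whole access, not just its first
 * byte, must lie inside an allowed range, so a 4-byte access starting at
 * the last allowed port is rejected, and a 16-bit wrap past 0xFFFF is
 * caught by computing the end address in 32 bits. PCI CONFIG_ADDRESS /
 * CONFIG_DATA (0xCF8/0xCFC) are simply not on the list. */
int policy_allowlisted(const ioport_req_t *r, int caller_is_admin) {
    if (!caller_is_admin) return 0;
    if (r->width != 1 && r->width != 2 && r->width != 4) return 0;
    uint32_t last = (uint32_t)r->port + r->width - 1;
    if (last > 0xFFFF) return 0;
    for (size_t i = 0; i < N_RANGES; i++)
        if (r->port >= allowed_ranges[i].first && last <= allowed_ranges[i].last)
            return 1;
    return 0;
}

/* IOCTL dispatcher: apply the policy, then perform the (simulated) access.
 * Returns 1 on success, 0 if the request was denied. Little-endian host assumed. */
int dispatch_ioport(ioport_req_t *r, int caller_is_admin, port_policy_t policy) {
    if (!policy(r, caller_is_admin)) return 0;
    if (r->is_write) {
        memcpy(&io_space[r->port], &r->value, r->width);
    } else {
        r->value = 0;
        memcpy(&r->value, &io_space[r->port], r->width);
    }
    return 1;
}

/* Helper: would the chosen policy let this read request through? */
int request_allowed(uint16_t port, uint8_t width, int caller_is_admin, int hardened) {
    ioport_req_t r = { port, width, 0, 0 };
    port_policy_t p = hardened ? policy_allowlisted : policy_unrestricted;
    return p(&r, caller_is_admin);
}

/* Helper: write one byte through the hardened dispatcher and read it back.
 * Returns the byte read, or -1 if either request was denied. */
int roundtrip_demo(void) {
    ioport_req_t w = { 0x0300, 1, 1, 0xAB };
    if (!dispatch_ioport(&w, 1, policy_allowlisted)) return -1;
    ioport_req_t rd = { 0x0300, 1, 0, 0 };
    if (!dispatch_ioport(&rd, 1, policy_allowlisted)) return -1;
    return (int)rd.value;
}

int main(void) {
    printf("PCI CONFIG_ADDRESS (0xCF8), unrestricted policy: %s\n",
           request_allowed(0x0CF8, 4, 1, 0) ? "allowed" : "denied");
    printf("PCI CONFIG_ADDRESS (0xCF8), allow-list policy:   %s\n",
           request_allowed(0x0CF8, 4, 1, 1) ? "allowed" : "denied");
    printf("Device port 0x300, non-admin caller:             %s\n",
           request_allowed(0x0300, 1, 0, 1) ? "allowed" : "denied");
    printf("Round trip through hardened dispatcher: 0x%02X\n", roundtrip_demo());
    return 0;
}
```

The allow list is the part an auditor should look for when reviewing a peripheral driver: a driver that needs a handful of ports for its own hardware has no reason to reach the PCI configuration mechanism, and a reviewer can confirm the restriction by testing the width and end-of-range cases, not just the starting port.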
Eclypsium also pointed out that in the case of the driver used by Diebold Nixdorf, it could allow an attacker to install a bootkit on the targeted device as the driver is also leveraged to update the BIOS firmware.
The vulnerability was reported to the vendor, which released patches earlier this year. However, flaws of this kind can pose a risk for an extended period, as manufacturers of highly regulated devices typically take much longer to release patches due to compliance requirements. In this case, Eclypsium says its research was completed in May 2019, but it could not disclose its findings until now.
Moreover, it can take a lot of time for the updates to reach all end devices, which often still run outdated operating systems, such as Windows XP and Windows 7.
Eclypsium believes there are likely many other vulnerable drivers that expose ATMs to attacks and they could be affected by even more serious security holes.